Re: [exim] SSL Certificate

Author: Phil Pennock
Date:  
To: The Doctor
CC: exim-users
Subject: Re: [exim] SSL Certificate
On 2012-11-23 at 19:37 -0700, The Doctor wrote:
> Which is the best CS Cert vendor for Exim?


Define "CS Cert"? The only CS I know in certificate context is "Code
Signing", which is irrelevant. I'm guessing you're just after a
Certificate Authority.

For what purpose, with what user base?

If you mean port 25 MX, then there's currently no verification and the
only proposal to add verification will use DNSSEC/DANE as a trust
anchor, so an X.509 PKI CA is irrelevant. Sign yourself, or use
CACert to get something which other technical folks can verify, don't
pay money.

If you mean for port 587 (or 465) then the issue is entirely one of
getting the CA root cert into the mail-client or system for all clients
who can legitimately access it. The choice then depends upon how many
people, how clueful they are, how much control you have over their
systems, whether you're one organisation, etc.

For high assurance requirements such as banking organisations, you pay
for an EV cert.

For most people running personal services it might be CA Cert or an
in-house Cert. Otherwise, it's probably "the cheapest one that's still
in most clients". StartSSL certs from StartCom in Israel are free for
many simple cases and will probably work. Worst case, you lose a little
time learning enough through mistakes in your first deployment and start
over, either paying or not.

If you're part of a larger organisation, then it's "whichever CA your
security team likes", because they'll typically be the one monitoring
the services, making sure certificates get renewed and so on.

-Phil